Re: [Wireshark-users] Wireshark sold on ebay
Joerg Mayer wrote:
> On Mon, Feb 11, 2008 at 02:19:43PM -0800, Ruben Junkie wrote:
>> So I was lurking around eBay and found that seller redlinedit http://myworld.ebay.com/redlinedit/ is selling copies of wireshark which is totally wrong ... these people who think that they can take advantage of free distributed software must be stopped ... http://cgi.ebay.com/World-Leading-Internet-Network-Analyzer-Sniffer_W0QQitemZ260211008887QQihZ016QQcategoryZ3806QQssPageNameZWDVWQQrdZ1QQcmdZViewItem also I dug the story for more media coverage .. http://digg.com/linux_unix/Wireshark_sold_on_eBay_Bad_seller_BAD
> AFAICT, the offer is perfectly legal. In return, I could legally sell you gcc or other Free Software. Free in Free Software means freedom of speech, not free as in free beer. The GPL does not forbid selling this software, nor do we. The only thing that the seller could do to make this sale illegal would be to violate the GPL by, let's say, removing the copyright/license information and the like or by refusing to provide the wireshark source on request of a buyer. But unless (s)he does this, they are perfectly ok. Hey, someone paid around 12 Euros for a wireless extension cord (aka air), so why not sell Wireshark? If someone buys wireshark who would otherwise not have found and used Wireshark: Great!

You are perfectly right - as long as the terms of the GPL are fulfilled, this is ok for me!

However, you sometimes wonder how strange the world will get from here - seen from today where it's already very strange ;-)

But it seems to be the business model of this seller, on related auctions there's also audacity, americas army, (blender?) ... all at least freeware!

Regards, ULFL

P.S: He's not alone: http://cgi.ebay.com/Advanced-Internet-Sniffer-Network-Analyzer-WEP_W0QQitemZ250213230167QQihZ015QQcategoryZ68258QQssPageNameZWDVWQQrdZ1QQcmdZViewItem

___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] Wireshark sold on ebay
Guy Harris wrote:
> Joerg Mayer wrote:
>> AFAICT, the offer is perfectly legal.
> Legal, but some would consider it wrong, as a customer might not know that a version is available for USD/EUR/UKP/RMB/JPY/CAD/BRL/RUB/INR/{ok, ok, we get it -ed :-)} 0.00 from http://www.wireshark.org.
> I don't know 1) whether it's possible to post a comment on an item in eBay (such as "hey, you can get this software for free from www.wireshark.org") or 2) if it's possible, whether you have to have an eBay account to do that.

You can send the seller a comment. But AFAIK, it is at the seller's discretion if it's placed on the item's page - which I guess won't happen for obvious reasons ;-)

Regards, ULFL
Re: [Wireshark-users] Wireshark sold on ebay
Gerald Combs wrote:
> Ulf Lamping wrote:
>> You are perfectly right - as long as the terms of the GPL are fulfilled, this is ok for me!
> The phrase "I am authorized reseller for this software" at the end of the auction description is misleading. Wireshark University and CACE have permission to use the trademark for commercial purposes. This guy (or gal) doesn't.

Well, this might be misleading - but would be hard to stand at court I guess.

A different thing is the use of the Wireshark logo (the one with the shark). AFAIK, this logo was once used on the webpage (which is *not* open sourced) and is not in the subversion, and unless you've released it anywhere else into the open source world, this logo is still copyrighted by you and this one has no right at all to use it.

Regards, ULFL

P.S: As the term "digital delivery" already appears at the eBay overview page shipping column, this seems to be nothing special.
Re: [Wireshark-users] Which hardware
ronnie sahlberg wrote:
> Use a linux box to run wireshark on instead. It is cheaper than terminal servers and as a bonus on the same hardware, processing the same capture files, wireshark will run several times faster on linux than w2k3

Do you have any hard facts, or is this the usual Linux-FUD?

Regards, ULFL
Re: [Wireshark-users] Which hardware
ronnie sahlberg wrote:
> Personal first hand experience.

SCNR to ask your motivations ;-)

> I have tested this myself on several PCs and compared. The same host, the same capture file, the same preferences using the same SVN version of wireshark it ran 2+ times faster when booting into linux than w2k and w2k3. Bear in mind, the tests were all for semi large capture files in the range 10-200MByte and testing how long it takes to load a trace, how long it takes to filter a trace, how long it takes to bring up the tcp sequence number graph. I think it was something like 5-6 different single and multi cpu systems. (multiprocessing is a bit pointless with wireshark)

Well, while *capturing*, the capture and display tasks could run on two different CPUs - however, I've never checked if they really do ;-)

> The purpose was to find which hw+sw config would perform the fastest for a large group of users that would spend a significant amount of time looking at and filtering and analyzing 100MB - 1GByte large capture files. I don't care what systems the end users would end up using, they just wanted to know: which hw+sw combination should we use to make analyzing/filtering of large captures as fast as possible.

Right! And I don't have any problems with your recommendation as you have tested it :-)

> That is probably an effect of linux having vastly better memory management than windows.

Oh, come on! Please don't spread FUD just as Microsoft does!!!

Simply stating that Wireshark is 2+ times faster on Linux than on Windows, so this is probably caused by worse memory management on Windows, is just FUD.

Keep in mind that the libraries used to run Wireshark/tshark all have their origins in the Unix world, so they're probably optimized here and ported more or less well to the Windows platform. For example, GTK+ is running almost natively on X (basically it was built as a replacement for motif) and was much later ported to Windows. Therefore it's just very likely that GTK+ is running faster on Linux than on Windows.

Following the same argumentation, using a fast commercial analyzer (highly optimized for) Windows compared to Wireshark would clearly state the superior Windows platform ...

Regards, ULFL
Re: [Wireshark-users] Showing TCAP packets : Ethereal vs. Wireshark
Marc Grün wrote:
> Hello, I'm doing communication between two machines using the SCCP User Adaptation (SUA) protocol. Using both Ethereal and Wireshark to capture the corresponding packets, I realized that Ethereal shows the connectionless datagram ones as TCAP CLDT (and they are said to be malformed...) whereas Wireshark shows the same as SUA (RFC 3868) CLDT. Where does this divergence come from?

More than a year of Wireshark development? Ethereal is just dead ...

> Thanks
Re: [Wireshark-users] unique identifier for remote PC
d a wrote:
> If I use wireshark to capture a tcp exchange between my PC and another PC (a file transfer for example) is there any information unique to the remote PC that would identify it later upon first hand visual inspection? I originally thought that the MAC address in Wireshark would achieve this however it looks like instead I'm getting the MAC address of the ISP's router rather than the remote PC's NIC.

If your remote PC is behind a router, take a look at the PC's IP address. The router will exchange the MAC addresses.

Regards, ULFL
Re: [Wireshark-users] Portable Wireshark Settings
Guy Harris wrote:
> Ulf Lamping wrote:
>> No. For an U3 package, you'll need an U3 stick to work properly. The U3 system will set some special U3 environment variables and that's the problem here.
> So how are non-U3 portable applications produced for Windows? Are special builds done, or is the application otherwise induced to store its settings on the application medium rather than on the system disk or in the user's home directory?

As only the personal setting paths are affected, both would be possible.

The best looking collection of portable applications for Win32 is http://portableapps.com/

Some time ago, John T. Haller from that page asked for a portable version of Wireshark - exactly for that reason, I've introduced the -P option ;-)

http://portableapps.com/development briefly describes how to build such a portable version.

Regards, ULFL

P.S: a portable version could also serve as the "zip only" Win32 version that was also requested some time ago ...
Re: [Wireshark-users] Portable Wireshark Settings
Misc wrote:
> Guy Harris wrote:
>> Misc wrote:
>>> With truly portable application, you just put it somewhere and it works, with all its prior settings intact. That's what I need. I understand that I'd still have to correct the path in -P switch every time I move Wireshark to a different folder. So I guess it's not TRULY PORTABLE yet, but at least it's moving in right direction :)
>> Well, you'll probably never have the standard Wireshark distribution be portable out of the box, as people NOT using it as a portable application would want it to store their preferences in their profile directory or whatever it's called. What you might get is a separate build, or a separate package, that somehow forces Wireshark to run in a portable mode.
> Guy, we are talking here about existing portable Wireshark U3 package, available from http://www.wireshark.org/download.html

No, at least I'm talking about the existing U3 Wireshark package here. Where did you find the word "portable"?

> Or at least it's supposed to be portable, and being advertised as designed for USB sticks.

It's been designed for *U3* USB sticks - therefore the name - not for common *non-U3* sticks.

> That's the package that I've been struggling with. This portable Wireshark couldn't find its preferences in its own folder and needed to be pointed to its own app folder with command line args :(

It's perfectly working with U3 USB Sticks AFAIK.

Go Google yourself for U3 before firing any more of those uninformed mails to the list ...

Regards, ULFL

P.S: I guess your demanding tone and uninformed mails won't encourage any of the developers to spend some of their own spare time to improve the situation here (at least I won't do) ...
Re: [Wireshark-users] Breaking up a capture file
Andrew Chalk wrote:
> I have some huge capture files that are too large to load into Ethereal (v0.10.12).

Please update from your ancient Ethereal to a recent Wireshark version :-)

> Is there a utility to break up a file into chunks of a specified size so that they are always broken at a capture record boundary?

http://www.wireshark.org/docs/man-pages/editcap.html is what you need.

Regards, ULFL
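What "broken at a capture record boundary" means in practice, as an added example (this is not editcap's or Wireshark's code): a small Python pcap reader and splitter. It parses the 24-byte global header and the 16-byte per-record headers, checks every record length against the file's snaplen and the remaining file size so a corrupt length cannot run past the end of the file, and emits chunks no larger than a given byte limit, each a complete pcap file with its own global header, cutting only between records. The sample capture is constructed inline; the names `build_pcap`, `parse_pcap` and `split_pcap` are chosen here.

```python
"""Split a pcap file into size-limited chunks, cutting only between records.
Added example; not editcap and not Wireshark code."""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic of a little-endian file, read little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same bytes of a big-endian file, read little-endian
GLOBAL_HDR_LEN = 24          # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16          # ts_sec, ts_usec, incl_len, orig_len


def build_pcap(packets, snaplen=65535, linktype=1):
    """Build a little-endian pcap file from (ts_sec, payload) tuples.
    Constructed sample input for this example, not a real capture."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, payload in packets:
        out += struct.pack("<IIII", ts_sec, 0, len(payload), len(payload)) + payload
    return bytes(out)


def parse_pcap(data):
    """Return (global_header_bytes, [record_bytes, ...]). Each record is its
    16-byte header plus captured data; lengths are validated against snaplen
    and the file size so a corrupt record cannot run past EOF."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than a pcap global header")
    magic, = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("unknown magic 0x%08x" % magic)
    snaplen, = struct.unpack(endian + "I", data[16:20])
    records, pos = [], GLOBAL_HDR_LEN
    while pos < len(data):
        if pos + RECORD_HDR_LEN > len(data):
            raise ValueError("truncated record header at offset %d" % pos)
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[pos:pos + RECORD_HDR_LEN])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("implausible record length at offset %d" % pos)
        end = pos + RECORD_HDR_LEN + incl_len
        if end > len(data):
            raise ValueError("truncated record data at offset %d" % pos)
        records.append(data[pos:end])
        pos = end
    return data[:GLOBAL_HDR_LEN], records


def split_pcap(data, max_bytes):
    """Split into chunks of at most max_bytes, each a complete pcap file with
    its own global header, and never cut inside a record."""
    global_hdr, records = parse_pcap(data)
    if max_bytes < GLOBAL_HDR_LEN + RECORD_HDR_LEN:
        raise ValueError("max_bytes cannot hold a global header plus one record")
    chunks, current = [], bytearray(global_hdr)
    for rec in records:
        if GLOBAL_HDR_LEN + len(rec) > max_bytes:
            raise ValueError("a single record exceeds max_bytes; raise the limit")
        if len(current) + len(rec) > max_bytes:     # would overflow: start a new chunk
            chunks.append(bytes(current))
            current = bytearray(global_hdr)
        current += rec
    if len(current) > GLOBAL_HDR_LEN:                # flush the last, non-empty chunk
        chunks.append(bytes(current))
    return chunks


if __name__ == "__main__":
    # Six constructed records of growing size, split at a 200-byte limit.
    sample = build_pcap([(1000 + i, bytes([i]) * (40 + 10 * i)) for i in range(6)])
    for n, chunk in enumerate(split_pcap(sample, 200)):
        print("chunk %d: %d bytes, %d records" % (n, len(chunk), len(parse_pcap(chunk)[1])))
```

Each chunk reloads as a normal capture because it carries its own global header; the last record of one chunk and the first of the next are whole, which is what a loader needs to avoid "malformed packet" at the seam.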
Re: [Wireshark-users] white text can't view selections
[EMAIL PROTECTED] wrote:
> Hi, I've just downloaded and installed wireshark 0.99.5 onto my windows XP machine that already had ethereal 0.99.0. I can launch wireshark, but the text that should be black is white. This makes it impossible to read items such as interface selection, because the background and foreground text are both white. When I start wireshark, the version disclaimer is also white text. I've installed this same distribution onto another XP and Windows 2000 hosts and there is no issue. Anyone see this before? I've tried to uninstall ethereal and wireshark and winpcap but no luck. I even verified in the windows appearance area that the text is not set to white.

Known problem, if you use a 256 color only display (e.g. terminal services).

Regards, ULFL
Re: [Wireshark-users] Sniffing Cisco VPN packets
George A. Kantsios wrote:
> Need a little help and appreciate any guidance and direction you can offer. I am trying to sniff packets before and after a cisco VPN adapter on a Windows XP box. When I sniff the VPN adapter I see the unencrypted packets. When I sniff the physical network device, I get almost no traffic, even when I send a huge file over the network? Why can't I see the encrypted packets?

Well, given the fact that there were lots of problems with VPN software (incl. Cisco VPN) reported - from not seeing any interfaces to crashing various software parts, I would say you can be glad that you see any traffic at all ...

See http://wiki.wireshark.org/CaptureSetup/InterferingSoftware for some more details and http://wiki.wireshark.org/CaptureSetup in general.

Regards, ULFL
Re: [Wireshark-users] Writing/sharing dissectors
Kobboi wrote:
> Hello, Some very basic questions, hope you don't mind my asking them... Where can I find a recent HOWTO on writing your own dissector for a proprietary protocol? Is there some basic roadmap that can help me keep an overview and not lose the way? When I have finished writing it, how do I easily share my dissector? Does everyone who wants to use it need to recompile their Wireshark? Any important Windows/Linux differences? (I'll need to support both platforms) Thanks for the info!

See: http://wiki.wireshark.org/Development

Regards, ULFL
Re: [Wireshark-users] [Wireshark-dev] Support for Microsoft LLTD Protocol
ronnie sahlberg wrote:
> This document contains a lot of information about this protocol (and others) and would likely be very useful for someone planning to start implementing a dissector. http://www.symantec.com/avcenter/reference/ATR-VistaAttackSurface.pdf

Maybe it's time for a Wiki page?

Regards, ULFL
Re: [Wireshark-users] locking up when viewing video captures
phat pig wrote:
> I have been successful in reassembling image files (gif,jpg) from my capture files.

These are usually much smaller than videos ;-)

> I saw an archived thread where someone was successful in reassembling videos using the same method. So far though, wireshark is locking up when I click on 'media type'. Size does not seem to matter.

Sure? Please try a *very* short video file and wait for a *very* long time (minutes!) if WS does react in the end. WS does scale very badly when it comes to showing huge chunks of data (meaning huge 100k).

> Is there a tutorial on reassembling images and videos?

No, but you may write one ...

BTW: In the recent developer builds a feature was added to export all kinds of HTTP objects, which I guess is what you are doing here.

Regards, ULFL
Re: [Wireshark-users] Wireshark 802.11 WPA Decrypti on unable to get Group Keys
> how do you capture data with WinXp and Wireshark? I have wireshark in my laptop but I not capture data with my card (Intel Pro/Wireless 2915ABG). My laptop is Centrino technology. Thanks for your help.

Try switching off promiscuous mode.

See http://wiki.wireshark.org/CaptureSetup and especially http://wiki.wireshark.org/CaptureSetup/WLAN

Regards, ULFL
Re: [Wireshark-users] how to filter a port?
David Drexler wrote:
> It's either to or from 'http'. I also tried tcp.port != 80 same results. I want to run the capture realtime and only see the traffic that interests me.

Your display filter falls under "A common mistake", try !(tcp.port == 80) instead, which is not the same.

HTTP can be transported over various TCP ports - not only port 80.

See:
http://wiki.wireshark.org/Hyper_Text_Transfer_Protocol?action=show&redirect=HTTP for protocol info
http://www.wireshark.org/docs/wsug_html_chunked/ChCapCaptureFilterSection.html for capture filters and
http://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html for display filters

Regards, ULFL
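To make the difference between the two filters concrete, here is an added example (not Wireshark's filter engine) in Python: a minimal display-filter parser and evaluator that models the one property that matters, namely that `tcp.port` occurs twice in a packet (source port and destination port). A comparison is true if any occurrence satisfies it, while `!` negates the verdict for the whole packet, so `tcp.port != 80` passes an HTTP packet through its ephemeral port and `!(tcp.port == 80)` does not. The packets, the `FilterParser` class and `apply_filter` are constructed for this example; `&&`, `||`, parentheses and integer comparisons are all it supports.

```python
"""Why `tcp.port != 80` is not `!(tcp.port == 80)`. Added example; not Wireshark code."""
import re

# Constructed packets: each field maps to EVERY occurrence in the packet.
SAMPLE_PACKETS = [
    {"name": "client -> web", "tcp.port": [51234, 80]},
    {"name": "web -> client", "tcp.port": [80, 51234]},
    {"name": "ssh",           "tcp.port": [51235, 22]},
    {"name": "http on 8080",  "tcp.port": [51236, 8080]},
]

# Two-character operators are listed before "!" so "!=" is not split.
TOKEN = re.compile(r"\s*(\(|\)|!=|==|&&|\|\||!|[A-Za-z_][\w.]*|\d+)")


def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if m is None:
            raise ValueError("cannot tokenize filter at %r" % text[pos:])
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class FilterParser:
    """Recursive descent: or-expr > and-expr > not-expr > comparison | ( expr )."""

    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError("expected %r, got %r" % (expected, tok))
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "||":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "&&":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "!":
            self.take()
            return ("not", self.parse_not())
        return self.parse_primary()

    def parse_primary(self):
        if self.peek() == "(":
            self.take("(")
            node = self.parse_or()
            self.take(")")
            return node
        field, op = self.take(), self.take()
        if op not in ("==", "!="):
            raise ValueError("unsupported operator %r" % op)
        return ("cmp", field, op, int(self.take()))


def evaluate(node, packet):
    """A comparison holds if ANY occurrence of the field satisfies it; `!` negates
    the whole-packet verdict. For ports [51234, 80], `tcp.port != 80` is true via
    51234, while `!(tcp.port == 80)` is false because 80 matched."""
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], packet) or evaluate(node[2], packet)
    if kind == "and":
        return evaluate(node[1], packet) and evaluate(node[2], packet)
    if kind == "not":
        return not evaluate(node[1], packet)
    _, field, op, value = node
    values = packet.get(field, [])          # absent field: nothing matches
    if op == "==":
        return any(v == value for v in values)
    return any(v != value for v in values)


def apply_filter(text, packets):
    """Names of the packets that pass the display filter."""
    node = FilterParser(text).parse()
    return [p["name"] for p in packets if evaluate(node, p)]


if __name__ == "__main__":
    for flt in ("tcp.port != 80", "!(tcp.port == 80)"):
        print("%-18s -> %s" % (flt, apply_filter(flt, SAMPLE_PACKETS)))
```

The same any-occurrence rule is why `tcp.port == 80 && tcp.port == 51234` matches a single packet: each comparison is satisfied by a different port of the same packet.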
Re: [Wireshark-users] NT no longer supported as of 0.99.5?
Graham Bloice wrote:
> Michael Zuffoletti wrote:
>> I installed 0.99.5 on Win NT. On running wireshark, I get the message: "the procedure entry point PrintDlgExW could not be located in the dynamic link library COMDLG32.DLL" The release notes mention that 95, 98, and ME are no longer supported. Should NT be on that list also? 0.99.4 works for me on NT.
> Yep, PrintDlgEx is W2K or later. Looks like it's time to say goodbye to NT support for Wireshark. I would think it likely that the function is only used in the GTK2 branch. Have you tried the GTK1 version?

Yes, it's time to drop support for NT 4.0

> Interestingly Bugzilla 1393 (http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1393) also notes that NT4 is no longer working, but mentions lack of SHGetSpecialFolderPath()!

It seems that none of the WS developers is actually working on or for NT4 - Microsoft has dropped support for NT4 at the end of 2005.

You may just keep using WS 0.99.4 ...

Regards, ULFL
[Wireshark-users] I've officially dropped support for Windows NT 4.0 ...
Hi List!

After a long time, I felt that it was time to drop support for Windows NT 4.0!

The reasons for this step were:
- Microsoft itself dropped support for Windows NT 4.0 at the end of 2005, see http://www.microsoft.com/technet/archive/winntas/ntendlife.mspx?mfr=true
- the libraries we use (e.g. GTK 2.x) seem to currently drop support for NT 4.0 as well
- none of the developers seems to work / test on NT 4.0 any longer - and therefore is interested in spending any effort

So I've changed the following:
- the Windows installer won't install on NT 4.0 and just quits with a warning in this case (just as it does for Win9x based systems already today)
- the User's Guide "System Requirements" section notes that NT 4.0 is no longer supported (well, it noted that already before)

However, support for NT 4.0 wouldn't be impossible even in the future - there's only no one willing to spend the required effort to keep it working. Running Wireshark on NT 4.0 - at least on the GTK1 port - should be possible for the foreseeable future - with some effort of a skilled developer.

As there seem to be more desirable goals to spend effort on than supporting NT 4.0, the support has dropped in effect from 0.99.5 ...

Regards, ULFL

P.S: Don't flame me on this decision, as long as you are willing to do the actual work yourself!
Re: [Wireshark-users] Save the bytes of a particular field from all the displayed packets in one file
Stephen Fisher wrote:
> I have committed an initial version of a content listing/saving feature for the HTTP protocol.

First of all, thanks for this - it's a feature long awaited IMO.

> I would appreciate if anyone could try it out and give feedback on the implementation and if they can think of a better top-level menu to put it under (View perhaps?).

Basically, the View menu is about *how* things are displayed, and not to display new things - so this is not the place to go. Analyze or Statistics is the place to go - IMO it might better be placed in Analyze as this feature is not really about Statistics. However, both menus have become a bit interchangeable over time.

Some things I've noticed:
- this announcement should have gone to the developer list first (most developer related discussion will go to the users list now)
- the buttons don't have a tooltip (should be easy to add)
- when selecting a row, the packet list should jump to that packet (as other similar dialogs do it)
- save fails if the suggested filename contains bad characters (e.g. question mark), which often happens. Unfortunately, I don't know a good character encapsulation for this.
- no "Save All" button (to save all files in one rush)
- not mentioned in the User's Guide (that's ok as this feature is currently experimental) - but shall be added *before* the next release
- no Help button to point to the non-existing User's Guide section ;-)

Anyway, this is a really good start of this topic - now it's about getting it bullet proof ;-)

Regards, ULFL
Re: [Wireshark-users] Save the bytes of a particular field from all the displayed packets in one file
Sake Blok wrote:
> Wouldn't this option be feeling more at home under the File menu? It is about exporting parts of the data-stream. My suggestion would be: File | Export | Objects.

Yes, you're right, File is the place to go. File / Export / HTTP Objects might be ok.

Do we want to have a packet list context menu item like Export / HTTP Objects to save a/the object(s) of a single packet?

Regards, ULFL
Re: [Wireshark-users] [patch] drop privs in dumpcap if run setuid by non-root
Hank Leininger wrote:
> The other day, I wanted to run wireshark live, i.e. capture and view some packets, rather than just feed it an existing pcap. On Linux, I found this was basically impossible (longtime users probably know this already):
> - By default no part of wireshark is installed setuid
> - There is an --enable-setuid-install configure option, which installs both wireshark and dumpcap setuid root
> - However, as mentioned in the docs, gtk apps don't like running as root. And besides, this just seemed dumb.
> - So, too, did actually being root to run (all of) wireshark.
> - I tried chmod +s'ing only dumpcap. This gives it the needed privs, _but_ it creates a tempfile with which to communicate with wireshark that is mode 600 -- so when it runs as root, the rest of wireshark cannot read the file.
> While on a plane back home I whipped up the attached patch to dumpcap to drop elevated privileges as soon as the pcap socket has been opened. Then I can create a 'sniffer' group, and chgrp sniffer, chmod 4110 the dumpcap binary. Tested for a whole five minutes, seems to work fine: wireshark launches dumpcap to sniff, opens the raw capture socket, drops root, opens the output file, and starts reading/writing packets. It looks to me like every time a new capture is started, dumpcap is respawned, so euid0 is not needed again. Works with tshark as well.
> At the time, I had not yet read the discussions on the wireshark lists (and the ethereal ones years before that) about how privilege separation would be a better way to go, and about how the dissectors would best run not just non-root, but non-user either--that is, they should run as a dedicated, chrooted user. I agree that that would be ideal. But in the meantime, I think something like this would be better than nothing.

Hi Hank!

I've spent a lot of time to carve out dumpcap into its own process, to make the things you've explained actually possible.

Please note that the Wireshark/dumpcap combination misses some things like the capture live list and alike, which currently will call pcap functions directly. Getting the capture interface specific infos should go into dumpcap as well, or a new process "capifinfo" or alike to avoid privilege problems on this task.

As I'm a Win32 developer, I won't tweak the UNIX specific things and need help from other UNIX developers. Unfortunately, NONE of the UNIX developers found the time / motivation to spend some time on this topic. So basically I've dropped my effort on this completely, as I found no assistance to this - only complaints "when will it be finished" - which is not really motivating in itself ...

BTW: your patch will break Win32 compatibility, as setgid and alike don't exist on Win32 (and probably not on all UNIX derivates we support as well) - a simple #ifndef _WIN32 will solve this (for WIN32, but probably not for other UNIXes).

Regards, ULFL

P.S: This motivation might change when I'll start working on Vista, as User Account Control is basically the same thing. However, the switch to Vista might take some time ...
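The ordering Hank describes (open the capture handle while still root, drop root for good, only then create the output file so the unprivileged GUI can read it), as an added example in Python; this is neither the dumpcap patch from the thread nor Wireshark's code. `drop_privileges` changes supplementary groups, gid and uid in the order that works, verifies all four ids afterwards and checks that root cannot be regained, which is what separates a permanent drop from a temporary seteuid(); `create_output_file` then creates a 0600 file owned by the dropped-to user. `open_capture_handle` is a placeholder for the privileged pcap open, the default ids are the caller's own so the example runs unprivileged, and on Win32 (no setuid/setgid, as the reply notes) the drop is a no-op.

```python
"""Privilege drop ordering for a capture helper: open the privileged handle,
drop root permanently, then create the 0600 output file as the real user.
Added example; not the dumpcap patch and not Wireshark code."""
import os
import stat
import sys
import tempfile


def open_capture_handle():
    """Placeholder for the privileged step (the raw capture socket open in
    dumpcap). Opening that socket is the only reason root is needed."""
    return "capture-handle"


def drop_privileges(uid, gid):
    """Permanently drop to uid/gid and verify it. Order matters: supplementary
    groups and primary group first (they need root), uid last (once the uid
    is gone the group calls would fail). Returns True only if every id changed
    and root cannot be regained."""
    if sys.platform == "win32":
        return True            # no setuid/setgid on Win32: the #ifndef _WIN32 case
    if os.geteuid() == 0:
        os.setgroups([gid])    # drop inherited supplementary groups (root only)
    os.setgid(gid)
    os.setuid(uid)
    if (os.getuid(), os.geteuid(), os.getgid(), os.getegid()) != (uid, uid, gid, gid):
        return False
    if uid != 0:               # a real drop must be irreversible
        try:
            os.setuid(0)
            return False       # regained root: the drop was only temporary
        except PermissionError:
            pass
    return True


def create_output_file(directory):
    """Create the capture file 0600 AFTER the drop so it belongs to the
    unprivileged user, not root. Returns (path, owner_uid, mode)."""
    fd, path = tempfile.mkstemp(prefix="dumpcap_", suffix=".pcap", dir=directory)
    os.fchmod(fd, stat.S_IRUSR | stat.S_IWUSR)
    st = os.fstat(fd)
    os.close(fd)
    return path, st.st_uid, stat.S_IMODE(st.st_mode)


def capture_sequence(uid=None, gid=None, directory=None, keep_file=False):
    """Run the three steps in the order the thread describes and report the
    outcome. Defaults (an assumption of this example) drop to the caller's own
    ids, which is the unprivileged case and therefore safe to run anywhere."""
    uid = os.getuid() if uid is None else uid
    gid = os.getgid() if gid is None else gid
    handle = open_capture_handle()                       # 1. privileged open
    dropped = drop_privileges(uid, gid)                  # 2. drop root for good
    path, owner, mode = create_output_file(directory or tempfile.gettempdir())  # 3. unprivileged file
    if not keep_file:
        os.unlink(path)
    return {"handle": handle, "dropped": dropped, "path": path,
            "owner_is_self": owner == os.getuid(), "mode": mode}


if __name__ == "__main__":
    print(capture_sequence())
```

Run as an ordinary user it exercises the same code path with the ids unchanged; the mode-600 tempfile problem from the first message disappears because the file is only created once the effective uid is already the user's.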
Re: [Wireshark-users] Modification request: csv export
Hi List!

There seems to be some confusion about the csv format in general, and I guess about our export implementation as well.

Therefore I've added a Wiki page (http://wiki.wireshark.org/Development/CSVExport) where information can be collected - please don't add information that you *think* is valid, only what you know for sure/have tested.

First of all we should make sure that we are all talking about the same thing.

1. We have several places to export csv's now, and my feeling is that there is more than one implementation of the CSV export. Identify all places and make sure the implementation shares the same code.
2. Identify the applications to import our format (Excel, but there may be others as well), and find out the required format for these applications.

Regards, ULFL
Re: [Wireshark-users] V0.99.5 Coloring Rules
Keith French wrote:
> After renaming the color filters file, Wireshark then used the default colors. If I disabled colors from the view menu, delete the default ones in the color filters, then reimport mine, re-enable colors, it is still the same.

Yes, you did something completely useless, so there's no change :-)

Well, did you read the first point I've noted *literally*?!? Did you rename the colorfilters file in C:\Program Files (as these *are* the default colors) - and restart? Don't do anything with the view menu and import/export, that won't help.

> As far as I know there are no special (international) characters in my personal profile folder.

Your profile path doesn't look bad, so that's not the problem.

> I have attached a zip containing the color filters, preferences dfilters cfilters and the screenshot you requested. Plus a file called "My original color filter file" which is the one that works fine with 0.99.4.

Could you open a bug report on bugzilla for this (and add the zip file), so it won't get lost?

Regards, ULFL

> Thanks for your help, Keith.
>
> - Original Message -
> From: Ulf Lamping [EMAIL PROTECTED]
> To: Community support list for Wireshark wireshark-users@wireshark.org
> Sent: Sunday, February 04, 2007 7:11 PM
> Subject: Re: [Wireshark-users] V0.99.5 Coloring Rules
>
>> Keith French wrote:
>>> I tried erasing all of them and re-importing my original ones and it is still the same.
>> Sounds like your personal filters are just not used/found now - for whatever reasons.
>> Do you have some special (international) characters in your personal profile folder c:\documents and settings\...?
>> Could you try the following:
>> - disable the global colorfilters file (e.g. c:\Program Files\colorfilters), e.g. rename it to something like colorfilters.old. After restarting Wireshark I guess you won't have any colors left.
>> - send us a screenshot of your folders info, from Help/About Wireshark/Folders. Maybe there's something strange here.
>> - send us your personal colorfilters file. So we can try it for ourselves.
>> Regards, ULFL
Re: [Wireshark-users] capturing packets in stealth mode on Windows
David Durgee wrote:
> I have downloaded and installed Wireshark 0.99.4 on a Windows 2000 system. I am able to capture packets on my ethernet interface with the interface enabled and in full operation, but if I disable the interface as I expect I will need to in order to operate stealthily the interface is not available to select for capture in Wireshark.

Obviously, if you disable an interface - it's disabled :-)

> How do I need to configure things to be able to do what I need? Can I define another ethernet interface using the same NIC that has no protocols enabled on it and then swap which one is enabled? Do I need to disable all protocols on the existing interface for the capture and then manually re-enable them when I want to reconnect to the network?

Disabling the TCP/IP stack of that interface should usually be enough to keep the interface quiet - however, I've never tried it myself if it's really quiet then.

There are potentially a lot of services running on top of a network interface, some common today are:
- TCP/IP (switch this off - this will prevent ARP, DNS, NBNS, ... from getting on the network)
- VPN (switch this off)
- services to capture network traffic (should send no packets)
- personal firewall software (should send no packets)

Hope this helps,

Regards, ULFL
Re: [Wireshark-users] Y axis advanced fields
Persio Pucci wrote:
> Hello again, is there any good documentation on how to use Wireshark's IO Graphs Y axis advanced fields?

The best you can get is at http://www.wireshark.org/docs/wsug_html_chunked/ChStatIOGraphs.html

Why not write it yourself and share it with us?

Regards, ULFL
Re: [Wireshark-users] Opening Acterna WAN capture files in wireshark
Murali Raju wrote:
> Give ProConvert a shot - http://www.wildpackets.com/products/free_utilities/proconvert/overview

I've added a link to the Wiki Tools and FileFormatReference pages.

Regards, ULFL
Re: [Wireshark-users] [ANNOUNCE] WinPcap 4.0 has been released
Persio Pucci wrote:
> Hey, maybe somebody asked for it already... but would it be possible to include in 0.99.5 a way to export IO graphs to any graphic file format (GIF, JPG, PNG, BMP, etc)?

Definitely not in 0.99.5 - it's in the release process quite ahead.

Any new feature will be implemented if some of the developers find the time and motivation to implement it. So don't expect anything here soon...

Regards, ULFL
Re: [Wireshark-users] Question on new U3P format of Wireshark
Erick B wrote:
> I downloaded this new U3P package and tried it on my U3 flash drive. When you run it, it installs WinPcap (regular WinPcap installer) and when you exit Wireshark it brings up the Uninstall WinPcap application. I was just testing it out myself also, as I just recently picked up a U3 drive. I needed a bigger portable thumb drive and found a deal on one w/U3 - wasn't looking for U3 specifically. So for now I think I'll stick to using the regular install of Wireshark so I don't have to deal with WinPcap every time I use Wireshark.

AFAIK, it's enough to install WinPcap once on a machine; the u3p should use a WinPcap installation if available. In fact it didn't even bother to ask me anything about WinPcap on a machine where it was already installed ...

Regards, ULFL
Re: [Wireshark-users] 2 gig limit on mergecap
Daniel Goolsby wrote:
> I sifted through some of the archives but couldn't find anything on whether this was going to be fixed. I started capturing all port 80 traffic.. every hour I send that tcpdump to another machine, so at the end of the day I wanted to merge all the traffic together in one nasty port 80 tcpdump file. Regardless, mergecap stops at 2g. I made sure and compiled merge on a Sparc Sun box; I also recompiled zlib to make sure it was at least compiled on a 64bit machine - no telling if it had any real effect. Regardless, it still stops after the 2 gig limit has been reached on the new dump file I'm trying to create. Are there any other tools that can merge tcpdump files that anyone knows of that don't have this limit? I could probably 'tcpreplay' the individual files on an interface that isn't being used, and tcpdump that one, but that's the only workaround I've thought up so far. Any suggestions/comments?

Hi!

I can only give some background info here. I don't know if Sun Sparc 64 longs and/or ints are 64 bits - if at least the longs are 64 bit it could work. zlib uses longs to keep file positions. I've *very recently* changed Wireshark/wiretap to use gint64 instead of longs (so 32bit platforms could work) - but I couldn't test whether I found all appearances ... I didn't change mergecap (and the other tools), so they might just use ints to keep file positions - which is probably not enough.

Regards, ULFL
Re: [Wireshark-users] How can I save the column with of the packet list window?
[EMAIL PROTECTED] wrote:
> Hello, I use the newest Wireshark version and I added some columns to the packet list window and changed the width of these columns (Relative Time and Delta Time) to make them a little bit wider and be able to see the whole content. But if I close Wireshark and open it again the columns are again too narrow. Does anybody know how I can save the column width?

You cannot save the column width. There's already a buglist/wish list entry for this. You can use View/Resize Columns to automatically adjust the width; however, this is slow for huge capture files.

Regards, ULFL
Re: [Wireshark-users] View Filter - Capture Filter
Stephen Fisher wrote:
> On Thu, Oct 26, 2006 at 04:49:45PM +1000, [EMAIL PROTECTED] wrote:
>> Cheers, I had tried using 'tcp port 389', but needing to do a 24hr capture resulted in a lot of info. Even when splitting the data amongst multiple files it resulted in 10Mb x 260 files. Opening this many files would be too much. I'm not sure what the maximum file size Wireshark can handle in opening is; I may give 150Mb a go instead of 10Mb multiple file sizes.
>
> This page gives some tips on improving performance when using large capture files: http://wiki.wireshark.org/Performance
>
> The size of capture file supported is only limited by the amount of RAM you have and CPU speed to process all of the packets. I don't think there is an official upper limit.

See: http://wiki.wireshark.org/KnownBugs/OutOfMemory

Regards, ULFL
Re: [Wireshark-users] wireshark-0.99.4pre1 and tollbar icon size on windows platform
Mike Oliveras wrote:
> In previous releases, I was able to change the size of the toolbar icons in Wireshark by setting gtk-toolbar-icon-size = large-toolbar in the gtkrc file. See http://www.wireshark.org/lists/wireshark-users/200606/msg00021.html
> When I try the same with the wireshark-0.99.4pre1 release, the icons are still small... Is there another way to do this? Also, is there something I can do so that this preference will be remembered? Even in the previous releases, the gtkrc size preference is overwritten when I upgrade or reinstall Wireshark.

Are you sure you got the right gtkrc file? There are two of them. Don't ask me why; I don't know too many details about this GTK specific myself.

BTW: All GTK files are - so the whole file is also - overwritten by the installer, not only this setting; this is done as we don't have a mechanism to merge these settings.

Regards, ULFL
Re: [Wireshark-users] wireshark-0.99.4pre1 and tollbar icon size on windows platform
Mike Oliveras wrote:
> That's the only gtkrc file that I am aware of. Based on the response from Jaap when this question came up a while ago, he gave the path to the file as C:\Program Files\Wireshark\share\themes\Default\gtk-2.0\gtkrc. This was given in http://www.wireshark.org/lists/wireshark-users/200606/msg00021.html. This did work for me in the previous release.

You got the right file. I've tried to change it on my machine with the pre1 and it works just as expected (showing large icons now). I don't know what's wrong with your machine/installation ?!?

Regards, ULFL
Re: [Wireshark-users] Viability of detecting Wireshark with ARP-packets
Hans Nilsson wrote:
> Hello, I recently read the document "Promiscuous node detection using ARP packets" [1] about detecting network cards in promiscuous mode and sniffers with custom-built ARP packets. For example, tools like Cain and Abel [2] have that capability. But I was wondering if this actually works against Wireshark? When I do ifconfig my network card is not listed as being in promiscuous mode, but under options in Wireshark the card is in promiscuous mode and I can receive all the traffic on my LAN. So is this not a problem anymore, since the NIC doesn't have to be manually set to promiscuous mode? Wireshark can do that on its own and therefore won't be detected by the ARP technique?
> [1] http://www.securityfriday.com/promiscuous_detection_01.pdf
> [2] http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm

First of all, on today's switched networks, promiscuous mode has a lot less effect than it has on shared networks (e.g. ancient coax Ethernet) - using promiscuous mode will often have no effect (but this depends on your setup, see: http://wiki.wireshark.org/CaptureSetup/Ethernet).

Using promiscuous mode disables a hardware filter of the network interface. It's switched on/off by ifconfig or Wireshark (through libpcap/WinPcap) the same way, so it doesn't make *any difference* which software switched it. Wireshark's capture options won't show you the current state of the promisc. mode, but what it will use for capturing.

Regards, ULFL
Re: [Wireshark-users] VoIP analysis and assessment
Jacques, Olivier (OpenCall Test Infra) wrote:
>> Yes, Wireshark can re-construct the audio, but it's without the jitter buffer of the client device in mind. It merely strings the RTP packets together and makes a WAV file. I learned this the hard way.
>
> This is not true anymore. The VoIP Calls/RTP Player feature (as available in the latest development releases of Wireshark 0.99.4) allows reconstructing the audio _with_ the jitter buffer in mind. It works this way:
> - You specify the jitter buffer size (in ms)
> - You press the Decode button: Wireshark re-constructs the audio.
> - RTP packets with excessive jitter are dropped
> - The number of RTP packets dropped is counted and displayed
> - You can listen to the resulting audio from within Wireshark
> See picture attached.
>
> Of course, this doesn't take into account other client-side parameters like adaptive jitter buffer, bad clocking, bad RTP implementation, ...
>
> Last warning: the RTP player supports G711 A/u-law codecs at the moment. It is possible to add your own codecs, the RTP player feature being well designed for that, but codec licensing issues will certainly prevent many codecs from being included in Wireshark.
>
> Olivier.

Shouldn't this info be included in the wiki (it's documented nowhere else AFAIK)?

Regards, ULFL
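The fixed jitter buffer Olivier describes (size in ms; late packets dropped and counted) can be simulated over a capture without the RTP Player. The following is an added example written for this thread, not the Wireshark RTP Player's own code: it models that playout rule and also computes the RFC 3550 interarrival jitter estimate. The packet stream, the 8 kHz G.711 clock and the 20 ms packetisation are constructed assumptions for the demonstration.

```python
"""Fixed-size jitter buffer over an RTP stream: which packets get dropped.

Added example; it is not the Wireshark RTP Player's own code. It models the
behaviour described above (a jitter buffer of N ms; packets arriving too late
for their playout slot are dropped and counted) and computes the RFC 3550
interarrival jitter estimate. The packet stream below is constructed.
"""
from dataclasses import dataclass

CLOCK_RATE_HZ = 8000        # RTP clock for G.711 A-law / u-law
SAMPLES_PER_PACKET = 160    # 20 ms of audio per packet at 8 kHz


@dataclass(frozen=True)
class RtpPacket:
    seq: int
    timestamp: int      # RTP timestamp in clock ticks
    arrival_ms: float   # capture (arrival) time in ms


def constructed_stream():
    """Ten packets sent 20 ms apart; seq 5 arrives 70 ms late, seq 7 40 ms late."""
    extra_delay_ms = {5: 70.0, 7: 40.0}
    return [
        RtpPacket(seq=i,
                  timestamp=i * SAMPLES_PER_PACKET,
                  arrival_ms=1000.0 + i * 20.0 + extra_delay_ms.get(i, 0.0))
        for i in range(10)
    ]


def ticks_to_ms(ticks):
    return ticks * 1000.0 / CLOCK_RATE_HZ


def playout(packets, jitter_buffer_ms):
    """Simulate a fixed jitter buffer.

    The first packet anchors the playout clock: packet i is due for playout at
    anchor + buffer + (timestamp_i - timestamp_0). A packet that arrives after
    its due time cannot be played in sequence and is dropped, which is the
    'excessive jitter' case. Returns (played_seqs, dropped_seqs).
    """
    if not packets:
        return [], []
    first = packets[0]
    played, dropped = [], []
    for p in packets:
        due_ms = (first.arrival_ms + jitter_buffer_ms
                  + ticks_to_ms(p.timestamp - first.timestamp))
        (dropped if p.arrival_ms > due_ms else played).append(p.seq)
    return played, dropped


def interarrival_jitter_ms(packets):
    """RFC 3550 section 6.4.1 running jitter estimate: J += (|D| - J) / 16,
    where D is the difference in spacing between arrival and RTP timestamps."""
    j = 0.0
    for prev, cur in zip(packets, packets[1:]):
        d = ((cur.arrival_ms - prev.arrival_ms)
             - ticks_to_ms(cur.timestamp - prev.timestamp))
        j += (abs(d) - j) / 16.0
    return j


if __name__ == "__main__":
    stream = constructed_stream()
    print(f"interarrival jitter: {interarrival_jitter_ms(stream):.1f} ms")
    for buf in (20, 50, 100):
        played, dropped = playout(stream, buf)
        print(f"buffer {buf:3d} ms: played {len(played)}, dropped {dropped}")
```

Running it with 20, 50 and 100 ms buffers shows the trade-off the post hints at: a small buffer drops both late packets, 50 ms keeps the one that is 40 ms late, and 100 ms drops nothing at the cost of added latency. Adaptive buffers, which the post says the player does not model, would change the anchor over time.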
Re: [Wireshark-users] IEC 60870-5-104 Plugin?
[EMAIL PROTECTED] wrote:
> Hello everybody, today I am mostly using another tool for listening to IEC60870-5-104 but have realized that it would be perfect to be able to use Ethereal for that as well, therefore I am looking for an IEC60870-5-104 plugin for Ethereal.

Never heard of that, so it probably doesn't exist.

> If not available, perhaps someone could help me with directions to write my own plugin.

See: http://wiki.wireshark.org/Development

Regards, ULFL
Re: [Wireshark-users] Windows installer bug: Users shouldn't have to accept GNU GPL
Shawn Willden wrote:
> This may seem like a minor point, but I think it's significant, because it perpetuates the idea that you have to virtually sign some agreement before you can use some software. Much of the point of the GPL is to show that there is another way (and, we think, a *better* way), so it's unfortunate to have GPL software reinforcing the wrong idea.

I understand your point and mostly agree with it.

> My suggestion is to retain the display of the GPL upon installation, but put a heading on top that is something like: "This is Free Software, and you are free to use it all you like, with no restrictions or conditions. If you want to give copies of it to other people, or to change it, you can do that, too, but there are some limitations designed to make sure that whoever you give it to has the same freedoms you do. The details are described below:"

I don't think it will help the users in the long run if any GPL'ed program adds its own interpretation to the GPL! Otherwise you'll end up just like the myriad of slightly different BSD-like licenses floating around. Let the user learn the GPL once, so he can apply that knowledge without rethinking a slightly enhanced license again and again. There are far too many open source licenses already floating around.

> Also, the "Accept" button (or is it "Agree"? I'd have to go look again) should say "Okay" or perhaps even better "Dismiss". Comments?

I wouldn't have any problem if someone changes the "Accept" to an "Ok" button (however, it will be some more work than it seems IMO). "Dismiss" is an unexpected term; as a non-native English speaker I would expect the installer to terminate in that case.

But: I don't like the idea of adding any interpretation to the GPL! I'm not a lawyer and I don't know what this will actually mean in lawyer speak and don't want to have any surprise. The developers (including myself) put this software under the GPL and so be it!

I don't like the idea of adding any interpretation of this license in the installer or elsewhere!

Regards, ULFL
Re: [Wireshark-users] capture filter tcp port 20 and port 21
> I want to capture an FTP download from a server to a client. What is the capture filter to be used at both server and client so I can get only traffic from/to port 20 and port 21? I tried this -- tcp port 20 and tcp port 21 -- but no traffic is captured.

The correct syntax for what you thought of would be:

tcp port 20 or tcp port 21

However, as the data port will often be negotiated (aka varies from transfer to transfer), you often won't be able to use a capture filter for this, as you won't capture the data portion; see: http://wiki.wireshark.org/FTP

Regards, ULFL
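Two things in this exchange are worth seeing concretely: why 'tcp port 20 and tcp port 21' matches nothing (each 'tcp port N' term is true when N is either the source or the destination port, so 'and' demands a single packet carrying both ports), and how the data port is announced on the control channel so that a static filter misses it. The following is an added example, not code from the thread or from Wireshark: it parses a constructed FTP control conversation for PORT and PASV (RFC 959) and EPSV (RFC 2428), derives the negotiated data ports, and evaluates both filter forms against sample packets. The addresses, ports and file names are constructed.

```python
"""FTP capture filters: why 'tcp port 20 and tcp port 21' captures nothing
useful, and how the data port is negotiated on the control channel.

Added example, not from the mailing-list thread. The control-channel lines
below are constructed; parsing follows RFC 959 (PORT, PASV) and RFC 2428
(EPSV). The filter evaluator implements the libpcap meaning of 'tcp port N'
(true when N is the source or the destination port) joined by 'and' or 'or'.
"""
import re

# Constructed FTP control conversation: 'C:' client, 'S:' server.
SAMPLE_CONTROL_CHANNEL = [
    "S: 220 example FTP server ready",
    "C: USER demo",
    "S: 331 Password required",
    "C: PASS secret",
    "S: 230 Logged in",
    "C: PORT 192,168,1,20,200,10",                       # active: client listens on 192.168.1.20:51210
    "S: 200 PORT command successful",
    "C: RETR a.bin",
    "C: PASV",
    "S: 227 Entering Passive Mode (10,0,0,5,195,80)",    # passive: server listens on 10.0.0.5:50000
    "C: RETR b.bin",
    "C: EPSV",
    "S: 229 Entering Extended Passive Mode (|||60001|)",  # RFC 2428: port only, host is the control peer
    "C: RETR c.bin",
]

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def _host_port(groups):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2) as in RFC 959."""
    a, b, c, d, p_hi, p_lo = map(int, groups)
    return f"{a}.{b}.{c}.{d}", p_hi * 256 + p_lo


def negotiated_data_endpoints(lines):
    """Return (host, port, mode) for every data connection announced on the
    control channel. host is None for EPSV (same host as the control peer)."""
    found = []
    for line in lines:
        side, _, text = line.partition(": ")
        if side == "C" and (m := PORT_RE.match(text)):
            host, port = _host_port(m.groups())
            found.append((host, port, "active"))
        elif side == "S" and (m := PASV_RE.match(text)):
            host, port = _host_port(m.groups())
            found.append((host, port, "passive"))
        elif side == "S" and (m := EPSV_RE.match(text)):
            found.append((None, int(m.group(1)), "extended-passive"))
    return found


def capture_filter(endpoints, control_port=21, active_source_port=20):
    """Build the 'or'-joined filter covering the control port, the active-mode
    server source port and every negotiated data port (duplicates removed)."""
    ports = [control_port, active_source_port] + [port for _, port, _ in endpoints]
    unique = list(dict.fromkeys(ports))
    return " or ".join(f"tcp port {p}" for p in unique)


def port_filter_matches(ports, operator, src_port, dst_port):
    """Evaluate 'tcp port N' terms joined by one operator against a packet."""
    terms = [src_port == p or dst_port == p for p in ports]
    if operator == "and":
        return all(terms)
    if operator == "or":
        return any(terms)
    raise ValueError(f"unsupported operator {operator!r}")


if __name__ == "__main__":
    endpoints = negotiated_data_endpoints(SAMPLE_CONTROL_CHANNEL)
    for host, port, mode in endpoints:
        print(f"{mode:17s} data port {port} on {host or 'control peer'}")
    print("filter after the fact:", capture_filter(endpoints))
    print("'and' on active data packet:", port_filter_matches([20, 21], "and", 20, 51210))
    print("'or' on passive data packet:", port_filter_matches([20, 21], "or", 40001, 50000))
```

The filter built by capture_filter can only be written after the control channel has been read, which is exactly why a capture filter cannot cover FTP data up front: in passive mode neither port 20 nor 21 appears on the data connection at all, so even the corrected 'or' form misses it.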
Re: [Wireshark-users] Wireshark and Windows Domain Members
> I have a Windows system with a Samba Domain Controller and Windows XP clients. I notice that I cannot run Wireshark (latest download) where a Domain Logon (as domain admin) is used - no error message occurs, the cursor 'egg-timer' appears and then reverts to normal - in task manager, I see 'wireshark.exe' briefly appear and then disappear. A local logon to the same PC allows Wireshark to run. This is not (at least, directly) a Windows permission problem, as I have my domain admins also entered under the local admin group and Ethereal (0.99.0) works fine (I just wanted to update to Wireshark). Has anyone else seen this and/or is there a solution ??

There's a similar bug report at: http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1096, I've attached your post to it. You may attach any new info to that bug report.

However, I use a domain login and don't have such problems ... Without having a developer machine with that problem and no further information about the bug it will be difficult to find a solution :-(

Regards, ULFL
Re: [Wireshark-users] Wiki/Link issue
That's a known bug, see http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1060

Regards, ULFL
Re: [Wireshark-users] API and virtual network interface
Steffen Röttig wrote:
> do you know something about writing a virtual network card?
> regards, steff

Well, not really. Basically you'll need a kernel mode device driver that will make the system believe it is a network card. On Windows you'll probably need the Windows NT DDK (device driver kit), which isn't freely available. I've never done this myself (except for a DOS device driver for my own diploma several years ago), so I won't be much help here.

In general, writing a kernel mode device driver isn't usually an easy task.

Regards, ULFL
Re: [Wireshark-users] API and virtual network interface
Steffen Röttig wrote:
> hello, I have two questions for my exam (germany - diplom) ...
> 1. I didn't find anything about an API to control Wireshark from an external program. Did I miss the part or is it in another document?

There's currently no API to control Wireshark. You may control Wireshark with some general purpose GUI macro recorder, but I don't know any personally.

> 2. does anyone have practical knowledge of creating a network interface? I have to write an interface that receives packets from an external program. This interface must be recognized by WinPcap as a device. Is this possible?

That won't be easy, I would guess. You could patch libpcap/WinPcap or write a virtual network card driver that provides something like that to the operating system.

Regards, ULFL
Re: [Wireshark-users] wireshark ssl decryption for dummies
ronnie sahlberg wrote:
> On 9/12/06, Andrew Schweitzer [EMAIL PROTECTED] wrote:
>> Hello, I'm trying to decrypt some SSL traffic. The connection initiator talks to port 37000. It talks a proprietary protocol (one not present in Wireshark). I have the keys of the initiator and the listener. I am capturing on the listener. What should my RSA keys list be? Should it be: 127.0.0.1,3700,3700,e:\keys\initiator.key? or maybe
>> I don't get decrypted data in either case. SSL log says, in second case:
>> ===Begin SSL log===
>> ssl_init keys string 127.0.0.1,37000,37000,c:\keys\initiator.key
>> ssl_init found host entry 127.0.0.1,37000,37000,c:\keys\initiator.key
>> ssl_init addr 127.0.0.1 port 37000 filename c:\keys\initiator.key
>> ssl_get_version: 1.5.0
>> ssl_init private key file c:\keys\initiator.key successfully loaded
>> association_add port 37000 protocol 37000 handle
>> ===End SSL log===
>> Can decryption only occur if the conversation is sniffed from its beginning?
>
> yes
>
>> Do I need both initiator and listener keys?
>
> no, the server's key should be sufficient
>
>> Why is there both a port and protocol specified? How would you differentiate two protocols on the same port?
>
> the protocol is used to tell wireshark what the next payload is, i.e. what is inside the ssl wrapping
>
>> What if the protocol is unknown (or at least there's no dissector for it)?
>
> then you can probably specify data instead to use the data dissector
> try: 127.0.0.1,3700,data,e:\keys\server.key
>
>> Thanks

Hi Ronnie!

As you seem to be the one with some knowledge about the SSL stuff, is there a place where all this is explained? I get the feeling that a lot of the current stuff will only be usable by the developers, as no one else gets a clue how it's working (including me :-).

Could you start a Wiki page about how to use the SSL stuff?

Regards, ULFL
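The mistake in Andrew's entry is visible in his own log line "association_add port 37000 protocol 37000": the third field names the dissector that receives the decrypted payload, and a port number is not a dissector, which is why Ronnie suggests "data". The following is an added example, not Wireshark's own preference parser: it parses entries in the <address>,<port>,<protocol>,<key file> form shown in the thread, reports this and similar mistakes, rewrites a numeric protocol field to the "data" fallback, and pulls the registered associations out of SSL log lines. The ';' entry separator and the small allow-list of dissector names are assumptions made for the example. One caveat the thread does not state: a server RSA private key only recovers sessions that used RSA key exchange; sessions negotiated with (EC)DHE cannot be decrypted from the key alone.

```python
"""Parsing and sanity-checking entries of Wireshark's SSL 'RSA keys list'.

Added example, not Wireshark's own parser. Entry format assumed from the
thread: <address>,<port>,<protocol>,<key file>, several entries separated
by ';' (an assumption about the preference syntax; check your version).
The protocol field names the dissector the decrypted payload is handed to,
so a port number there is a mistake; 'data' is the fallback when no
dissector exists.
"""
import re
from dataclasses import dataclass, field

# Constructed allow-list for the example; Wireshark accepts any registered
# dissector name, which this script cannot know offline.
KNOWN_DISSECTORS = {"data", "http", "imap", "ldap", "pop", "smtp", "sip"}

IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
LOG_RE = re.compile(r"^association_add port (\d+) protocol (\S+)")


@dataclass
class RsaKeyEntry:
    address: str
    port: str
    protocol: str
    keyfile: str
    problems: list = field(default_factory=list)

    def as_spec(self):
        return ",".join((self.address, self.port, self.protocol, self.keyfile))


def check_entry(entry):
    """Return a list of human-readable problems; empty means the entry looks sane."""
    problems = []
    m = IPV4_RE.match(entry.address)
    if not m or any(int(octet) > 255 for octet in m.groups()):
        problems.append(f"address {entry.address!r} is not a dotted IPv4 address")
    if not (entry.port.isdigit() and 1 <= int(entry.port) <= 65535):
        problems.append(f"port {entry.port!r} is not in 1..65535")
    if entry.protocol.isdigit():
        problems.append("protocol field is numeric; it must name the dissector "
                        "for the decrypted payload (use 'data' if none exists)")
    elif entry.protocol not in KNOWN_DISSECTORS:
        problems.append(f"unknown dissector name {entry.protocol!r}")
    if not entry.keyfile:
        problems.append("key file path is empty")
    return problems


def parse_rsa_keys_list(spec):
    """Split the preference string into checked RsaKeyEntry objects."""
    entries = []
    for raw in (s.strip() for s in spec.split(";")):
        if not raw:
            continue
        # maxsplit=3 keeps a key file path intact even if it contains commas
        parts = [p.strip() for p in raw.split(",", 3)]
        if len(parts) != 4:
            entries.append(RsaKeyEntry(raw, "", "", "",
                                       ["expected 4 comma-separated fields"]))
            continue
        entry = RsaKeyEntry(*parts)
        entry.problems = check_entry(entry)
        entries.append(entry)
    return entries


def fix_numeric_protocol(spec, fallback="data"):
    """Rewrite entries whose protocol field is a number to the fallback dissector
    and re-check them; malformed entries are passed through unchanged."""
    fixed = []
    for entry in parse_rsa_keys_list(spec):
        if entry.protocol.isdigit():
            entry.protocol = fallback
            entry.problems = check_entry(entry)
        fixed.append(entry)
    return fixed


def associations_from_ssl_log(lines):
    """Extract (port, protocol) pairs the SSL dissector reports registering."""
    return [(int(m.group(1)), m.group(2))
            for line in lines if (m := LOG_RE.match(line.strip()))]


if __name__ == "__main__":
    spec = r"127.0.0.1,37000,37000,c:\keys\initiator.key"
    for entry in parse_rsa_keys_list(spec):
        print(entry.as_spec(), "->", entry.problems or "ok")
    for entry in fix_numeric_protocol(spec):
        print("fixed:", entry.as_spec(), "->", entry.problems or "ok")
    print(associations_from_ssl_log(["association_add port 37000 protocol 37000 handle"]))
```

The check does not touch the key file itself; whether the file actually matches the server certificate, and whether the capture includes the handshake (Ronnie's "yes" above), still has to be confirmed against the SSL debug log.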
Re: [Wireshark-users] Using with a switch
> Our network runs with a switch. Can Wireshark pick up all the connected stations? I'm only seeing my own machine's traffic now. Can that be changed? If so, how?

No, unless you do some very nasty things (e.g. ARP poisoning, which can easily confuse your whole network). See: http://wiki.wireshark.org/CaptureSetup and especially http://wiki.wireshark.org/CaptureSetup/Ethernet for your options to change this.

Regards, ULFL
Re: [Wireshark-users] protocol perferences
> From earlier this month, in the latest SVN builds, I found that I could no longer jump to a certain protocol's preferences by right clicking on a line in the middle window and selecting "protocol preferences" while reviewing the trace. Is that a design change or just my own problem? It is still happening in Version 0.99.4-SVN-19058 (SVN Rev 19058), Windows XP SP2.

By mistake, there's already a bugzilla entry for this.

Regards, ULFL
[Wireshark-users] Does Wireshark work on Windows XP Tablet PC and/or XP Media Center?
Hi List!

Just wanted to know if someone is working on these systems?

Regards, ULFL
Re: [Wireshark-users] Persistent Interface Comments?
-Original Message-
From: Community support list for Wireshark wireshark-users@wireshark.org
Sent: 15.08.06 13:06:00
To: wireshark-users@wireshark.org
Subject: [Wireshark-users] Persistent Interface Comments?

> Does anyone know how to make the interface comments field persistent when running Ethereal 0.99.0 under Windows? I've got 6 interfaces on the box running Ethereal, each raw into different VLANs. Downside, they happen to all be from the same manufacturer, and the "check the MAC address against the text file" routine is starting to get old as a solution. Adding the comments into the preferences capture screen works fine but you have to configure that each time you start Ethereal, which is quite unhandy. Is there a workaround here that doesn't involve a recompile?

Well, maybe press the "Save" button in the Preferences dialog?

Regards, ULFL
Re: [Wireshark-users] V0.99.2 File Save As Problem
> With the current version of Wireshark (0.99.2), there seems to be a problem with the Save As option from the File menu.

That's a known bug, see http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=927

Regards, ULFL